Have you ever thought about all the maintenance that goes into keeping a car operating at peak performance? We follow a maintenance schedule for oil changes and routine servicing. The car has sensors to inform us if something goes wrong and additional service is needed. In rare circumstances, the manufacturer will issue a recall for a design flaw that needs to be repaired. Even if you spend $50,000 on a shiny brand-new car, we recognize these maintenance tasks are needed to keep the car operating properly.
What if you didn’t perform this standard preventative care on your automobile? Would you expect it would continue to run problem free? Are you putting yourself at risk of an accident in the event the car does not perform properly? Most individuals accept that owning a car has certain maintenance requirements and that maintenance results in some inconvenience when you don’t have access to your car.
There are many parallels between car maintenance and software maintenance. So why don’t IT professionals subscribe to the same preventative care for software and vulnerability management?
Software companies have regular patch releases to address software bugs. Microsoft, for example, delivers theirs on the second Tuesday of every month. Cybersecurity industry professionals affectionately call this Patch Tuesday. Just like manufacturers recommend oil changes at regular intervals, software companies recommend applying these patches. Security professionals also have their own sensors and diagnostics set, much like car sensors, called vulnerability scans. They highlight when a known vulnerability is found in a system. These scans often require attention on an ad hoc basis between patching cycles. Sometimes software companies will release an unscheduled patch to address a critical software defect. Think of these as a recall that requires immediate attention. Each of these maintenance steps incurs time, effort, and cost. They often also result in downtime if a system has to be restarted or when the system is unavailable.
So how do companies become more diligent in their software maintenance? Establishing a vulnerability management policy and documenting a software patch cadence is the first step. This should include the frequency in which patches are applied to operating systems and applications, such as Microsoft Office and web browsers. The process should include testing patches in a lab prior to deployment to the whole company since some patches have the potential to unintentionally break system functions.
Second, acquire and maintain a vulnerability management platform. This system scans a company’s infrastructure and checks for software. The vulnerability scanner reports these findings based on criticality. Organizations should prioritize the process of addressing findings based on severity. A critical or high vulnerability should be addressed first while a medium or low may be able to wait until the next patch cycle. Each severity level should be documented in your policy along with a maximum time to remediate the issue.
Third, keep track of your software inventory and monitor if the vendor releases critical patches in between patch cycles. When a critical patch is released, it should be reviewed and prioritized to evaluate the timing to apply it in your company.
Finally, socialize your vulnerability management policy with leadership throughout the organization. Leaders and system owners need to understand the risks that vulnerabilities pose and the necessity of performing routine maintenance to mitigate those risks. By agreeing on the policy and the metrics for patch management, leadership accepts a frequency of system maintenance – including downtime – within the organization.
No one likes taking their car in for service. It means long waits in the waiting room or using a loaner that is never quite as nice as your vehicle. But we accept it as a normal part of owning a car, because it is much more ideal than the alternative of breaking down on a deserted road or, even worse, having an accident due to a malfunction. Using this analogy to frame how we approach IT vulnerability management, we can maintain our software in the same way and reduce the risk of serious incidents within the company.
~ Joe Klein, SideChannel Partner.